August 11, 2015

In response to a growing demand for cybersecurity guidance in the health care industry, the National Institute of Standards and Technology (NIST), through its National Cybersecurity Center of Excellence, recently published a step-by-step practice guide (the Guide) on protecting medical information stored in and shared between mobile devices. The Guide is the first in NIST’s new 1800 series of publications, designed to help companies protect their information systems (the 1800 Series).

The Guide demonstrates how health care organizations can make mobile devices, such as smartphones and tablets, more secure using commercially available or open-source tools. The Guide offers tips on how to better protect patient information, while still taking advantage of advances in communications technology. Further, the Guide takes into consideration HIPAA security rules to ensure that the standards proposed comport with the federal requirements imposed on health care organizations. Although the recommendations in the Guide are not binding, it provides a foundation for what may ultimately become standard practice in the industry.

The Guide is primarily geared toward IT professionals and security engineers, but as scrutiny of how boards interact with and oversee such employees increases, corporate boards and executives should consider the following takeaways from the Guide.

Remote wiping devices: The Guide encourages health care organizations to install technology that can remotely erase data on lost or stolen mobile devices. To be most effective, this and other technological measures should be integrated into a comprehensive information security policy that ensures employees are aware of, and have consented to, the various protections.

Install access controls: The Guide encourages health care organizations to install multiple layers of access controls (meaning multiple passwords and multiple types of password protection) so that a hacker who breaches the system is still prevented from viewing patient information.

Set up a Linux-based firewall: Linux-based firewalls are designed to block suspicious incoming and outgoing traffic on a user’s device or even block an application from using the Internet altogether.

Create mobile device certificates: Mobile device certificates supplement passwords as a means of authenticating users before they are allowed access to a system. Using mobile device certificates, a mobile device user’s credentials can be authenticated by the company’s IT department using device attributes (such as MAC addresses).

Ensure employees are able to access/use their devices: The Guide indicates that implementing security must be balanced with making sure health care workers can easily use the technology to perform their duties.

The Guide aims to protect health care organizations from the exploitation of patient information in electronic health records accessed through stolen devices and stolen system passwords (i.e., the most typical sources of data breaches). The last takeaway is especially important: burdening employee devices with clunky access protections may encourage employees to circumvent those protections, leaving the devices vulnerable to hackers.

The protection of patient information is a critical issue for health care organizations. The number of medical identity theft victims has doubled since 2010. The Guide cites a 2013 study by Ponemon Institute, which indicated that the annual cost of the health care industry’s response to medical identity theft has swelled to roughly $12 billion. Additionally, altered medical information can have dangerous results, including “misdiagnosis, delayed treatment, or incorrect prescriptions.” Corporate boards also face increased shareholder scrutiny, including possible derivative actions, in the wake of a data breach.

Accordingly, the Guide offers critical insight at a time when good cybersecurity practices are becoming both a practical and legal necessity for health care organizations. As the number of cyberattacks on health care organizations continues to rise, the Guide and the 1800 Series that NIST expects to publish can assist health care organizations, their boards, and corporate security engineers in using existing technology to achieve better cybersecurity.

Ballard Spahr’s Privacy and Data Security Group assists clients in complying with regulatory privacy and data security requirements and responding to data breaches. In the event of a breach, members of the Group work with clients to quickly and effectively launch a comprehensive response under the protection of attorney-client privilege, assess the situation, and—if necessary—notify and respond to state, federal, and international regulators.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.